Cloudera Docs

LDAP User Sync Configuration

You can allow LDAP User Sync for NiFi by using Cloudera Manager safety valves for authorizers.xml to extend the configuration.

The user group provider, once defined, can be used to replace the default user group property for file access providers.

Property Name Description Allowable Values
xml.authorizers.userGroupProvider.ldap-user-group-provider.class The fully qualified Java NiFi class name used by the LDAP User Group Provider.

Only one allowable value supported.

 org.apache.nifi.ldap.tenants.LdapUserGroupProvider
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Authentication Strategy How the connection to the LDAP server is authenticated. ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager DN The DN of the manager that is used to bind to the LDAP server to search for users.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Manager Password The password of the manager that is used to bind to the LDAP server to search for users.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Referral Strategy Strategy for handling referrals. FOLLOW, IGNORE, THROW
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Connect Timeout Duration of connect timeout. 10 secs
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Read Timeout Duration of read timeout. 10 secs
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Url Space-separated list of URLs of the LDAP servers.

Format: ldap://<hostname>:<port>

Example:

ldap://localhost:389
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Page Size Sets the page size when retrieving users and groups. If not specified, no paging is performed.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Sync Interval Duration of time between syncing users and groups.

Minimum allowable value is 10 secs.

 30 mins
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Base Base DN for searching for users. ou=users,o=nifi

Required to search users.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Object Class Object class for identifying users.

Required if searching for users.

Example: Person, PosixAccount
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Scope Search scope for searching users.

Required if searching for users.

 ONE_LEVEL, OBJECT, or SUBTREE
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Search Filter Filter for searching for users against the User Search Base.

Example: (memberof=cn=team1,ou=groups,o=nifi)

Optional.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Identity Attribute Attribute to use to extract user identity.

Example: cn

Optional. If not set, the entire DN is used.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute Attribute to use to define group membership.

Example: memberof

Optional.

If not set group membership will not be calculated through the users. Will rely on group membership being defined through Group Member Attribute if set. The value of this property is the name of the attribute in the user ldap entry that associates them with a group. The value of that user attribute could be a dn or group name for instance. What value is expected is configured in the User Group Name Attribute - Referenced Group Attribute.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute - Referenced Group Attribute If blank, the value of the attribute defined in User Group Name Attribute is expected to be the full dn of the group. If not blank, this property will define the attribute of the group ldap entry that the value of the attribute defined in User Group Name Attribute is referencing (i.e. name).

Use of this property requires that Group Search Base is also configured.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Base Base DN for searching for groups (i.e. ou=groups,o=nifi).

Required to search groups.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Object Class Object class for identifying groups (i.e. groupOfNames).

Required if searching groups.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Scope Search scope for searching groups.

Required if searching groups.

 ONE_LEVEL, OBJECT, or SUBTREE
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Filter Filter for searching for groups against the Group Search Base.

Optional.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Name Attribute Attribute to use to extract group name (i.e. cn).

Optional. If not set, the entire DN is used.
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute Attribute to use to define group membership (i.e. member).

Optional.

If not set group membership will not be calculated through the groups. Will rely on group membership being defined through User Group Name Attribute if set. The value of this property is the name of the attribute in the group ldap entry that associates them with a user. The value of that group attribute could be a dn or memberUid for instance. What value is expected is configured in the Group Member Attribute - Referenced User Attribute. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)
xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute - Referenced User Attribute If blank, the value of the attribute defined in Group Member Attribute is expected to be the full dn of the user. If not blank, this property will define the attribute of the user ldap entry that the value of the attribute defined in Group Member Attribute is referencing (i.e. uid).

Use of this property requires that User Search Base is also configured. (i.e. member: cn=User 1,ou=users,o=nifi vs. memberUid: user1)